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WHAT IS CLAIMED IS: 

1. An IO-requesting method of issuing an IO request to 
a storage apparatus of a computer system by execution of a 
program in said computer system, wherein a program identifier 
set in advance in said program and a request address are applied 
to a first function for inputting two values to generate one 
value used as a new address with said program identifier appended 
thereto, and said 10 request is issued by using said new address. 

2. A computer executing a first program issuing an 10 
request to a storage apparatus and a second program for 
collecting said IO request and transmitting said IO request as 
an IO command to said storage apparatus wherein: 

a program identifier set in advance in said first program 
and a request address are applied to a first function for 
inputting two values, that is, said program identifier and said 
request address, to generate one value used as a new address 
with said program identifier appended thereto, and said IO 
request is issued by using said new address; 

said second program has a table associating a program 
identifier, a logical volume existing in said storage apparatus 
and a network address with each other; and 

if said 10 request is an IO request issued to a logical 
volume existing in said storage apparatus as a logical volume 
prescribed to be a protected logical volume, a second function 
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for carrying out an operation to input one value for generation 
of two output values as an operation inverse to that of said 
first function generates an original request address and a 
program identifier, that is, said two output values, from said 
5 one input value, that is an address specified in said 10 request 
as said new address , said table is searched for a network address 
associated with said generated program identifier and a logical 
volume indicated by said generated original request address and 
a communication with said storage apparatus is carried out by 

10 using said network address as an address of a transmission 
originator in order to issue an IO command to said original 
request address. 

3. A computer system comprising one or more computers 
and one or more storage apparatus connected to said computers 

15 by a network apparatus wherein: 

in each of said computers: 

a first program issuing an IO request to a storage 
apparatus and a second program for collecting said IO request 
and transmitting said IO request as an IO command to said storage 

20 apparatus are executed; 

a program identifier set in advance in said first 
program and a request address are applied to a first function 
for inputting two values, that is, said program identifier and 
said request address , to generate one value used as a new address 

25 with said program identifier appended thereto, and said IO 
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request is issued by using said new address; 

said second program has a table associating a 
program identifier, a logical volume existing in said storage 
apparatus and a network address with each other; and 

if said IO request is an IO request issued to a 
logical volume existing in said storage apparatus as a logical 
volume prescribed to be a protected logical volume, a second 
function for carrying out an operation to input one value for 
generation of two output values as an operation inverse to that 
of said first function generates an original request address 
and a program identifier, that is, said two output values, from 
said one input value, that is an address specified in said IO 
request as said new address , said table is searched for a network 
address associated with said generated program identifier and 
a logical volume indicated by said generated original request 
address and a communication with said storage apparatus is 
carried out by using said network address as an address of a 
transmission originator in order to issue an IO command to said 
original request address, and 

on the basis of said network address used as an address 
of a transmission originator, said network apparatus determines 
whether or not a communication with said storage apparatus can 
be carried out . 

4. A computer system according to claim 3 wherein, in 
place of said network apparatus, said storage apparatus 
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determines whether or not an access to a logical volume existing 
in said storage apparatus can be made. 

5. An access control method adopted for a storage 
apparatus, said method comprising the steps of: 
5 recognizing a received IO command as an IO command issued 

to a logical volume existing in said storage apparatus as a 
logical volume prescribed to be a logical volume protected from 
a received IO command; 

using a second function for inputting one value to 
10 generate two output values as a function for obtaining a second 
address and a program identifier , that is , said two output values , 
from said one value, that is, a first address specified in said 
IO command; 

determining whether or not an access to said logical 
15 volume can be made on the basis of said program identifier and 
an association table; and 

replacing said first address specified in said IO command 
with said second address and processing said IO command in case 
an access by using said IO command is determined to be an access 
20 that can be made, 

wherein said association table is provided as a table for 
associating a logical-volume identifier with a program 
identifier for identifying a program allowed to make an access 
to a logical volume identified by said logical-volume 
25 identifier. 
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6. An access control method adopted for a storage 
apparatus, said method comprising the steps of: 

recognizing a received IO command included in a packet 
transmitted through a network as an IO command issued to a 
logical volume existing in said storage apparatus as a logical 
volume prescribed to be a logical volume protected from a 
received IO command; 

using a second function for inputting one value to 
generate two output values as a function for obtaining a second 
address and a program identifier, that is , said two output values , 
from said one value, that is, a first address specified in said 
IO command; 

determining whether or not said packet can be transferred 
to said storage apparatus on the basis of said program identifier 
and an association table; and 

replacing said first address specified in said IO 
command with said second address and transmitting said packet 
in case an access by using said IO command is determined to be 
an access that can be made, 

wherein said association table is provided as a table for 
associating a storage-apparatus identifier for identifying 
said storage apparatus, a logical-volume identifier for 
identifying a logical volume existing in said storage apparatus 
and a program identifier for identifying a program allowed to 
make an access to said logical volume identified by said 
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logical-volume identifier with each other. 



